#!/bin/bash
#
# Build script for Swift munki tools, builds a distribution package.


# Defaults.
PKGID="com.googlecode.munki"
MUNKIROOT="."
# Convert to absolute path.
MUNKIROOT=$(cd "$MUNKIROOT"; pwd)
OUTPUTDIR="."
# Convert to absolute path.
OUTPUTDIR=$(cd "$OUTPUTDIR"; pwd)
CONFPKG=""
# add this number to Git revision index to get "build" number
# consistent with old SVN repo
MAGICNUMBER=482
PYTHONPKG=NO
PYTHONLIBS=NO
PKGSIGNINGCERT=""
APPSIGNINGCERT=""
BOOTSTRAPPKG=NO
AUTORUNPKG=NO
CONFPKG=NO
MDMSTYLE=NO
ORGNAME=macOS
ROSETTA2=NO
CLIENTCERTPKG=NO

# try to automagically find Munki source root
TOOLSDIR=$(dirname "$0")
# Convert to absolute path.
TOOLSDIR=$(cd "$TOOLSDIR"; pwd)
PARENTDIR=$(dirname "$TOOLSDIR")
PARENTDIRNAME=$(basename "$PARENTDIR")
if [ "$PARENTDIRNAME" == "code" ]; then
    GRANDPARENTDIR=$(dirname "$PARENTDIR")
    GRANDPARENTDIRNAME=$(basename "$GRANDPARENTDIR")
    if [ "$GRANDPARENTDIRNAME" == "munki" ]; then
        MUNKIROOT="$GRANDPARENTDIR"
    fi
fi


usage() {
    cat <<EOF
Usage: $(basename "$0") [-i id] [-r root] [-o dir] [-c package] [-s cert]

    -i id       Specify the base package bundle ID
    -r root     Specify the Munki source root
    -o dir      Specify the output directory
    -n orgname  Specify the name of the organization
    -p          Build and include a Python interpreter package (munki-python)
    -P          Include a package that installs the Munki python libraries 
                (munkilib)
    -B          Include a package that sets Munki's bootstrap mode
    -A          Auto run managedsoftwareupdate immediately after install. This
                really should be used only with DEP/ADM enrollments.
    -c plist    Build a configuration package using the preferences defined in a
                plist file.
    -R          Include a pkg to install Rosetta2 on ARM-based hardware.
    -s cert_cn  Sign distribution package with a Developer ID Installer
                certificate from keychain. Provide the certificate's Common
                Name. Ex: "Developer ID Installer: Munki (U8PN57A5N2)"
    -S cert_cn  Sign apps with a Developer ID Application certificate from
                keychain. Provide the certificate's Common Name.
                Ex: "Developer ID Application: Munki (U8PN57A5N2)"
    -T pemfile  Include a pkg to install a client certificate for server mTLS
                mutual authentication, at /Library/Managed Installs/certs/.

EOF
}


while getopts "i:r:o:n:c:s:S:T:pPBAhR" option
do
    case $option in
        "i")
            PKGID="$OPTARG"
            ;;
        "r")
            MUNKIROOT="$OPTARG"
            ;;
        "o")
            OUTPUTDIR="$OPTARG"
            ;;
        "n")
            ORGNAME="$OPTARG"
            ;;
        "c")
            CONFPLIST="$OPTARG"
            CONFPKG=YES
            ;;
        "s")
            PKGSIGNINGCERT="$OPTARG"
            ;;
        "S")
            APPSIGNINGCERT="$OPTARG"
            ;;
        "p")
            PYTHONPKG=YES
            ;;
        "P")
            PYTHONLIBS=YES
            ;;
        "B")
            BOOTSTRAPPKG=YES
            ;;
        "A")
            AUTORUNPKG=YES
            ;;
        "R")
            ROSETTA2=YES
            ;;
        "T")
            CLIENTCERT="$OPTARG"
            CLIENTCERTPKG=YES
            ;;
        "h" | *)
            usage
            exit 1
            ;;
    esac
done
shift $((OPTIND - 1))

if [ $# -ne 0 ]; then
    usage
    exit 1
fi

if [ ! -d "$MUNKIROOT" ]; then
    echo "Please set the munki source root" 1>&2
    exit 1
else
    # Convert to absolute path.
    MUNKIROOT=$(cd "$MUNKIROOT"; pwd)
fi

if [ ! -d "$OUTPUTDIR" ]; then
    echo "Please set the output directory" 1>&2
    exit 1
fi

# Sanity checks.
if ! which git 1>/dev/null ; then
    echo "Could not find git in command path. Maybe it's not installed?" 1>&2
    echo "You can get a Git package here:" 1>&2
    echo "    https://git-scm.com/download/mac"
    exit 1
fi
if [ ! -x "/usr/bin/pkgbuild" ]; then
    echo "pkgbuild is not installed!" 1>&2
    exit 1
fi
if [ ! -x "/usr/bin/productbuild" ]; then
    echo "productbuild is not installed!" 1>&2
    exit 1
fi
if [ ! -x "/usr/bin/xcodebuild" ]; then
    echo "xcodebuild is not installed!" 1>&2
    exit 1
fi
if [[ "$CONFPKG" == "YES" ]] ; then
    CONFDIRPATH="$(cd "$(dirname "$CONFPLIST")" ; pwd)"
    CONFPLISTNAME="$(basename "$CONFPLIST")"
    CONFFULLPATH="${CONFDIRPATH}/${CONFPLISTNAME}"
    if ! defaults read "$CONFFULLPATH" 1>/dev/null ; then
        echo "Could not read $CONFFULLPATH, or invalid plist!"
        exit 1
    fi
fi
if [[ "$CLIENTCERTPKG" == "YES" ]] ; then
    CLIENTCERTPEMCHECK="$(sudo /usr/bin/file "$CLIENTCERT" 2>/dev/null)"
    if [[ ! $CLIENTCERTPEMCHECK =~ "PEM certificate" ]] ; then
        echo "Could not read $CLIENTCERT, or invalid PEM file!"
        exit 1
    fi
fi

VERSIONFILE="$MUNKIROOT/code/cli/munki/shared/version.swift"
# Check to see if file exists
if [ -f "${VERSIONFILE}" ]; then
    # Get the munki version
    MUNKIVERS=$(grep "let CLI_TOOLS_VERSION =" "${VERSIONFILE}" | awk -F'"' '$0=$2')
    if [ "$?" != "0" ]; then
        echo "${VERSIONFILE} can not be read" 1>&2
        exit 1
    fi
else
    echo "${VERSIONFILE} is missing" 1>&2
    exit 1
fi

# Build the Python framework if requested
if [ "$PYTHONPKG" == "YES" ] ; then
    PYTHONBUILDTOOL="${TOOLSDIR}/build_python_framework.sh"
    if [ ! -x "${PYTHONBUILDTOOL}" ] ; then
        echo "${PYTHONBUILDTOOL} is missing!" 1>&2
        exit 1
    fi
    echo "Building Python.framework..."
    if ! "${PYTHONBUILDTOOL}" ; then
        echo "Building Python.framework failed!" 1>&2
        exit 1
    fi
fi

cd "$MUNKIROOT"
# generate a pseudo-svn revision number for the core tools (and admin tools)
# from the list of Git revisions
GITREV=$(git log -n1 --format="%H" -- code/cli/munki)
GITREVINDEX=$(git rev-list --count "$GITREV")
SVNREV=$((GITREVINDEX + MAGICNUMBER))
DISTPKGSVNREV=$SVNREV
VERSION=$MUNKIVERS.$SVNREV

# get a pseudo-svn revision number for the apps pkg
APPSGITREV=$(git log -n1 --format="%H" -- code/apps)
GITREVINDEX=$(git rev-list --count "$APPSGITREV")
APPSSVNREV=$((GITREVINDEX + MAGICNUMBER))
if [ $APPSSVNREV -gt $DISTPKGSVNREV ] ; then
    DISTPKGSVNREV=$APPSSVNREV
fi

MUNKILIBVERS=6.6.5
if [ "$PYTHONLIBS" == "YES" ] ; then
    # generate a version number for the Python libs
    MUNKILIBVERSFILE="$MUNKIROOT/code/client/munkilib/version.plist"
    # Check to see if file exists
    if [ -f "$MUNKILIBVERSFILE" ]; then
        # Get the version
        MUNKILIBVERS=$(defaults read "$MUNKILIBVERSFILE" CFBundleShortVersionString)
        if [ "$?" != "0" ]; then
            echo "${MUNKILIBVERSFILE}.plist can not be read" 1>&2
            exit 1
        fi
    fi
    # generate a pseudo-svn revision number for the python libs
    # from the list of Git revisions
    PYTHONLIBSGITREV=$(git log -n1 --format="%H" -- code/client/munkilib)
    GITREVINDEX=$(git rev-list --count "$PYTHONLIBSGITREV")
    PYTHONLIBSSVNREV=$((GITREVINDEX + MAGICNUMBER))
    PYTHONLIBSVERSION=$MUNKILIBVERS.$PYTHONLIBSSVNREV
fi

# get base apps version from MSC.app
APPSVERSION=$(defaults read "$MUNKIROOT/code/apps/Managed Software Center/Managed Software Center/Info" CFBundleShortVersionString)
# append the APPSSVNREV
APPSVERSION=$APPSVERSION.$APPSSVNREV

# get a pseudo-svn revision number for the launchd pkg
LAUNCHDGITREV=$(git log -n1 --format="%H" -- launchd/LaunchDaemons launchd/LaunchAgents)
GITREVINDEX=$(git rev-list --count "$LAUNCHDGITREV")
LAUNCHDSVNREV=$((GITREVINDEX + MAGICNUMBER))
if [ $LAUNCHDSVNREV -gt $DISTPKGSVNREV ] ; then
    DISTPKGSVNREV=$LAUNCHDSVNREV
fi
# Get launchd version if different
LAUNCHDVERSION=$MUNKIVERS
if [ -e "$MUNKIROOT/launchd/version.plist" ]; then
    LAUNCHDVERSION=$(defaults read "$MUNKIROOT/launchd/version" CFBundleShortVersionString)
fi
LAUNCHDVERSION=$LAUNCHDVERSION.$LAUNCHDSVNREV

# get a pseudo-svn revision number for the Python pkg.
# Yes this is a bit broad, but better than too narrow!
PYTHONGITREV=$(git log -n1 --format="%H" -- code/tools)
GITREVINDEX=$(git rev-list --count "$PYTHONGITREV")
PYTHONSVNREV=$((GITREVINDEX + MAGICNUMBER))
if [ $PYTHONSVNREV -gt $DISTPKGSVNREV ] ; then
    DISTPKGSVNREV=$PYTHONSVNREV
fi
if [ "$PYTHONPKG" == "YES" ] ; then
    # Get Python version
    PYTHONVERSION="NOT FOUND"
    PYTHONINFOPLIST="$MUNKIROOT"/Python.framework/Versions/Current/Resources/Info.plist
    if [ -f "$PYTHONINFOPLIST" ]; then
        PYTHONVERSION=$(defaults read "$PYTHONINFOPLIST" CFBundleVersion)
    fi
    PYTHONVERSION=$PYTHONVERSION.$PYTHONSVNREV
fi

# get a pseudo-svn revision number for the metapackage
DISTPKGVERSION=$MUNKIVERS.$DISTPKGSVNREV

DISTPKG="$OUTPUTDIR/munkitools-$DISTPKGVERSION.pkg"


if [ "$(id -u)" -ne 0 ]; then
    cat <<EOF

            #####################################################
            ##  Please enter your sudo password when prompted  ##
            #####################################################

EOF
fi

echo "Build variables"
echo
echo "  munki core tools version: $VERSION"
echo "  LaunchAgents/LaunchDaemons version: $LAUNCHDVERSION"
echo "  Apps package version: $APPSVERSION"
echo
echo "  metapackage version: $DISTPKGVERSION"
echo
echo "  Bundle ID: $PKGID"
echo "  Munki source root: $MUNKIROOT"
echo "  Output directory: $OUTPUTDIR"
echo
echo "  Include Python pkg: $PYTHONPKG"
if [ "$PYTHONPKG" == "YES" ] ; then
    echo "    Python package version: $PYTHONVERSION"
fi
echo "  Include Python libraries (munkilib) pkg: $PYTHONLIBS"
if [ "$PYTHONLIBS" == "YES" ]; then
    echo "    Python libs package version: $PYTHONLIBSVERSION"
fi
echo "  Include bootstrap pkg: $BOOTSTRAPPKG"
echo "  Include autorun pkg: $AUTORUNPKG"
echo "  Include Rosetta2: $ROSETTA2"
if [ "$CONFPKG" == "YES" ] ; then
    echo "  Include config pkg built with plist: $CONFFULLPATH"
else
    echo "  Include config pkg: NO"
fi
if [ "$CLIENTCERTPKG" == "YES" ] ; then
    echo "  Include client cert pkg built with PEM file: $CLIENTCERT"
else
    echo "  Include client cert pkg: NO"
fi
echo
if [ "$APPSIGNINGCERT" != "" ] ; then
    echo "  Sign code with keychain cert: $APPSIGNINGCERT"
else
    echo "  Sign code: NO"
fi
if [ "$PKGSIGNINGCERT" != "" ] ; then
    echo "  Sign package with keychain cert: $PKGSIGNINGCERT"
else
    echo "  Sign package: NO"
fi
echo

# modify version.swift to contain build number
sed -i.bak "s/<BUILD_GOES_HERE>/${SVNREV}/g" "${VERSIONFILE}"

# Build munki cli tools
echo "Building munki cli tools..."
"${MUNKIROOT}/code/tools/build_swift_munki.sh" > /dev/null
MUNKICLI_RESULT="$?"
if [ "$MUNKICLI_RESULT" -ne 0 ]; then
    echo "Error building Munki cli tools: $MUNKICLI_RESULT"
    exit 2
fi

# reset build number in version.swift
mv "${VERSIONFILE}.bak" "${VERSIONFILE}"

# Build Managed Software Center.
echo "Building Managed Software Center.xcodeproj..."
pushd "$MUNKIROOT/code/apps/Managed Software Center" > /dev/null
/usr/bin/xcodebuild -project "Managed Software Center.xcodeproj" -alltargets clean > /dev/null
/usr/bin/xcodebuild -project "Managed Software Center.xcodeproj" -alltargets build > /dev/null
XCODEBUILD_RESULT="$?"
popd > /dev/null
if [ "$XCODEBUILD_RESULT" -ne 0 ]; then
    echo "Error building Managed Software Center.app: $XCODEBUILD_RESULT"
    exit 2
fi

MSCAPP="$MUNKIROOT/code/apps/Managed Software Center/build/Release/Managed Software Center.app"
if [ ! -e "$MSCAPP" ]; then
    echo "Need a release build of Managed Software Center.app!"
    echo "Open the Xcode project $MUNKIROOT/code/apps/Managed Software Center/Managed Software Center.xcodeproj and build it."
    exit 2
else
    MSCVERSION=$(defaults read "$MSCAPP/Contents/Info" CFBundleShortVersionString)
    echo "Managed Software Center.app version: $MSCVERSION"
fi

# Build MunkiStatus
echo "Building MunkiStatus.xcodeproj..."
pushd "$MUNKIROOT/code/apps/MunkiStatus" > /dev/null
/usr/bin/xcodebuild -project "MunkiStatus.xcodeproj" -alltargets clean > /dev/null
/usr/bin/xcodebuild -project "MunkiStatus.xcodeproj" -alltargets build > /dev/null
XCODEBUILD_RESULT="$?"
popd > /dev/null
if [ "$XCODEBUILD_RESULT" -ne 0 ]; then
    echo "Error building MunkiStatus.app: $XCODEBUILD_RESULT"
    exit 2
fi

MSAPP="$MUNKIROOT/code/apps/MunkiStatus/build/Release/MunkiStatus.app"
if [ ! -e  "$MSAPP" ]; then
    echo "Need a release build of MunkiStatus.app!"
    echo "Open the Xcode project $MUNKIROOT/code/apps/MunkiStatus/MunkiStatus.xcodeproj and build it."
    exit 2
else
    MSVERSION=$(defaults read "$MSAPP/Contents/Info" CFBundleShortVersionString)
    echo "MunkiStatus.app version: $MSVERSION"
fi

# Build munki-notifier
echo "Building munki-notifier.xcodeproj..."
pushd "$MUNKIROOT/code/apps/munki-notifier" > /dev/null
/usr/bin/xcodebuild -project "munki-notifier.xcodeproj" -alltargets clean > /dev/null
/usr/bin/xcodebuild -project "munki-notifier.xcodeproj" -alltargets build > /dev/null
XCODEBUILD_RESULT="$?"
popd > /dev/null
if [ "$XCODEBUILD_RESULT" -ne 0 ]; then
    echo "Error building munki-notifier.app: $XCODEBUILD_RESULT"
    exit 2
fi

NOTIFIERAPP="$MUNKIROOT/code/apps/munki-notifier/build/Release/munki-notifier.app"
if [ ! -e  "$NOTIFIERAPP" ]; then
    echo "Need a release build of munki-notifier.app!"
    echo "Open the Xcode project $MUNKIROOT/code/apps/notifier/munki-notifier.xcodeproj and build it."
    exit 2
else
    NOTIFIERVERSION=$(defaults read "$NOTIFIERAPP/Contents/Info" CFBundleShortVersionString)
    echo "munki-notifier.app version: $NOTIFIERVERSION"
fi

# Create a PackageInfo file.
makeinfo() {
    pkg="$1"
    out="$2_$pkg"
    if [ "$3" == "restart" ]; then
        restart='postinstall-action="restart"'
    else
        restart=""
    fi
    cat > "$out" <<EOF
<pkg-info format-version="2" install-location="/" auth="root" $restart>
</pkg-info>
EOF
}


# Pre-package-build cleanup.

if ! rm -rf "$DISTPKG" ; then
    echo "Error removing $DISTPKG before rebuilding it."
    exit 2
fi


# Create temporary directory
PKGTMP=$(mktemp -d -t munkipkg)


#########################################
## core munki tools                    ##
## /usr/local/munki, minus admin tools ##
## plus /Library/Managed Installs      ##
#########################################
echo
echo "Creating core package template..."

# Create directory structure.
COREROOT="$PKGTMP/munki_core"
mkdir -m 1775 "$COREROOT"
mkdir -m 755 "$COREROOT/usr"
mkdir -m 755 "$COREROOT/usr/local"
mkdir -m 755 "$COREROOT/usr/local/munki"
mkdir -m 755 "$COREROOT/usr/local/munki/libexec"
# Copy command line utilities.
# edit this if list of tools changes!
for TOOL in removepackages managedsoftwareupdate
do
    cp -X "$MUNKIROOT/code/build/binaries/$TOOL" "$COREROOT/usr/local/munki/" 2>&1
    # sign tool
    if [ "$APPSIGNINGCERT" != "" ]; then
        echo "Signing $TOOL..."
        /usr/bin/codesign -f -s "$APPSIGNINGCERT" \
            --preserve-metadata=entitlements \
            --options runtime --timestamp --verbose \
            "$COREROOT/usr/local/munki/$TOOL"
        SIGNING_RESULT="$?"
        if [ "$SIGNING_RESULT" -ne 0 ]; then
            echo "Error signing $TOOL: $SIGNING_RESULT"
            exit 2
        fi
    fi
done
for TOOL in authrestartd launchapp logouthelper precache_agent
do
    cp -X "$MUNKIROOT/code/build/binaries/$TOOL" "$COREROOT/usr/local/munki/libexec/" 2>&1
    # sign tool
    if [ "$APPSIGNINGCERT" != "" ]; then
        echo "Signing $TOOL..."
        /usr/bin/codesign -f -s "$APPSIGNINGCERT" \
            --preserve-metadata=entitlements \
            --options runtime --timestamp --verbose \
            "$COREROOT/usr/local/munki/libexec/$TOOL"
        SIGNING_RESULT="$?"
        if [ "$SIGNING_RESULT" -ne 0 ]; then
            echo "Error signing $TOOL: $SIGNING_RESULT"
            exit 2
        fi
    fi
done

# Set permissions.
chmod -R go-w "$COREROOT/usr/local/munki"
chmod +x "$COREROOT/usr/local/munki"
chmod +x "$COREROOT/usr/local/munki/libexec"

# make paths.d file
mkdir -m 755 "$COREROOT/private"
mkdir -m 755 "$COREROOT/private/etc/"
mkdir -m 755 "$COREROOT/private/etc/paths.d"
echo "/usr/local/munki" > "$COREROOT/private/etc/paths.d/munki"
chmod 644 "$COREROOT/private/etc/paths.d/munki"

# Create directory structure for /Library/Managed Installs.
mkdir -m 1775 "$COREROOT/Library"
mkdir -m 755 "$COREROOT/Library/Managed Installs"
mkdir -m 750 "$COREROOT/Library/Managed Installs/Cache"
mkdir -m 750 "$COREROOT/Library/Managed Installs/catalogs"
mkdir -m 755 "$COREROOT/Library/Managed Installs/manifests"

# copy in core cleanup scripts
if [ -d "$MUNKIROOT/code/tools/pkgresources/core_cleanup_scripts/" ] ; then
    rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/core_cleanup_scripts/" "$COREROOT/usr/local/munki/cleanup/"
fi

# Create package info file.
makeinfo core "$PKGTMP/info" norestart


#########################################
## admin munki tools                   ##
## /usr/local/munki admin tools        ##
#########################################

echo "Creating admin package source..."

# Create directory structure.
ADMINROOT="$PKGTMP/munki_admin"
mkdir -m 1775 "$ADMINROOT"
mkdir -m 755 "$ADMINROOT/usr"
mkdir -m 755 "$ADMINROOT/usr/local"
mkdir -m 755 "$ADMINROOT/usr/local/munki"
# Copy command line admin utilities.
# edit this if list of tools changes!
for TOOL in makecatalogs makepkginfo manifestutil munkiimport iconimporter repoclean 
do
    cp -X "$MUNKIROOT/code/build/binaries/$TOOL" "$ADMINROOT/usr/local/munki/" 2>&1
    # sign tool
    if [ "$APPSIGNINGCERT" != "" ]; then
        echo "Signing $TOOL..."
        /usr/bin/codesign -f -s "$APPSIGNINGCERT" \
            --preserve-metadata=entitlements \
            --options runtime --timestamp --verbose \
            "$ADMINROOT/usr/local/munki/$TOOL"
        SIGNING_RESULT="$?"
        if [ "$SIGNING_RESULT" -ne 0 ]; then
            echo "Error signing $TOOL: $SIGNING_RESULT"
            exit 2
        fi
    fi
done
# Set permissions.
chmod -R go-w "$ADMINROOT/usr/local/munki"
chmod +x "$ADMINROOT/usr/local/munki"

# make paths.d file
mkdir -m 755 "$ADMINROOT/private"
mkdir -m 755 "$ADMINROOT/private/etc"
mkdir -m 755 "$ADMINROOT/private/etc/paths.d"
echo "/usr/local/munki" > "$ADMINROOT/private/etc/paths.d/munki"
chmod 644 "$ADMINROOT/private/etc/paths.d/munki"

# copy in admin cleanup scripts
if [ -d "$MUNKIROOT/code/tools/pkgresources/admin_cleanup_scripts/" ] ; then
    rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/admin_cleanup_scripts/" "$ADMINROOT/usr/local/munki/cleanup/"
fi

# Create package info file.
makeinfo admin "$PKGTMP/info" norestart


##################
## Swift dylibs ##
##################

echo "Creating Swift dylib package source..."

LIBSROOT="$PKGTMP/munki_libs"
mkdir -m 1775 "$LIBSROOT"
mkdir -m 755 "$LIBSROOT/usr"
mkdir -m 755 "$LIBSROOT/usr/local"
mkdir -m 755 "$LIBSROOT/usr/local/munki"
mkdir -m 755 "$LIBSROOT/usr/local/munki/lib"

# copy in needed Swift dylibs
CONCURRENCY_DYLIB="$(xcode-select -p)/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.5/macosx/libswift_Concurrency.dylib"
cp "$CONCURRENCY_DYLIB" "$LIBSROOT/usr/local/munki/lib/"

# Create package info file.
makeinfo libs "$PKGTMP/info" norestart


###################
## /Applications ##
###################

echo "Creating applications package source..."

# Create directory structure.
APPROOT="$PKGTMP/munki_app"
mkdir -m 1775 "$APPROOT"
mkdir -m 775 "$APPROOT/Applications"
# Copy Managed Software Center application.
cp -R "$MSCAPP" "$APPROOT/Applications/"
# Create Helper directory
mkdir -m 775 "$APPROOT/Applications/Managed Software Center.app/Contents/Helpers/"
# Copy MunkiStatus helper app
cp -R "$MSAPP" "$APPROOT/Applications/Managed Software Center.app/Contents/Helpers/"
# Copy notifier helper app
cp -R "$NOTIFIERAPP" "$APPROOT/Applications/Managed Software Center.app/Contents/Helpers/"
# make sure not writeable by group or other
chmod -R go-w "$APPROOT/Applications/Managed Software Center.app"

# sign MSC app
if [ "$APPSIGNINGCERT" != "" ]; then
    echo "Signing Managed Software Center.app Bundles..."
    /usr/bin/codesign -f -s "$APPSIGNINGCERT" --options runtime --timestamp --verbose \
        "$APPROOT/Applications/Managed Software Center.app/Contents/PlugIns/MSCDockTilePlugin.docktileplugin" \
        "$APPROOT/Applications/Managed Software Center.app/Contents/Helpers/munki-notifier.app"
    SIGNING_RESULT="$?"
    if [ "$SIGNING_RESULT" -ne 0 ]; then
        echo "Error signing Managed Software Center.app: $SIGNING_RESULT"
        exit 2
    fi

    # Frameworks may or may not exist depending on OS target and linked Frameworks
    if [ -e "$APPROOT/Applications/Managed Software Center.app/Contents/Helpers/MunkiStatus.app/Contents/Frameworks" ] ; then
        echo "Signing MunkiStatus.app Frameworks..."
        /usr/bin/find "$APPROOT/Applications/Managed Software Center.app/Contents/Helpers/MunkiStatus.app/Contents/Frameworks" -type f -perm -u=x -exec /usr/bin/codesign -f -s "$APPSIGNINGCERT" --options runtime --timestamp --verbose {} \;
        SIGNING_RESULT="$?"
        if [ "$SIGNING_RESULT" -ne 0 ]; then
            echo "Error signing MunkiStatus.app Frameworks: $SIGNING_RESULT"
            exit 2
        fi
    fi

    # Frameworks may or may not exist depending on OS target and linked Frameworks
    if [ -e "$APPROOT/Applications/Managed Software Center.app/Contents/Frameworks" ] ; then
        echo "Signing Managed Software Center.app Frameworks..."
        /usr/bin/find "$APPROOT/Applications/Managed Software Center.app/Contents/Frameworks" -type f -perm -u=x -exec /usr/bin/codesign -f -s "$APPSIGNINGCERT" --options runtime --timestamp --verbose {} \;
        SIGNING_RESULT="$?"
        if [ "$SIGNING_RESULT" -ne 0 ]; then
            echo "Error signing Managed Software Center.app Frameworks: $SIGNING_RESULT"
            exit 2
        fi
    fi

    echo "Signing Managed Software Center.app..."
    /usr/bin/codesign -f -s "$APPSIGNINGCERT" --options runtime --timestamp --verbose \
        "$APPROOT/Applications/Managed Software Center.app/Contents/Helpers/MunkiStatus.app" \
        "$APPROOT/Applications/Managed Software Center.app"
    SIGNING_RESULT="$?"
    if [ "$SIGNING_RESULT" -ne 0 ]; then
        echo "Error signing Managed Software Center.app: $SIGNING_RESULT"
        exit 2
    fi
fi

# copy in app cleanup scripts
if [ -d "$MUNKIROOT/code/tools/pkgresources/app_cleanup_scripts/" ] ; then
    rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/app_cleanup_scripts/" "$APPROOT/usr/local/munki/cleanup/"
fi

# Create package info file.
makeinfo app "$PKGTMP/info" norestart


##############
## launchd ##
##############

echo "Creating launchd package source..."

# Create directory structure.
LAUNCHDROOT="$PKGTMP/munki_launchd"
mkdir -m 1775 "$LAUNCHDROOT"
mkdir -m 1775 "$LAUNCHDROOT/Library"
mkdir -m  755 "$LAUNCHDROOT/Library/LaunchAgents"
mkdir -m  755 "$LAUNCHDROOT/Library/LaunchDaemons"
mkdir -m  755 "$LAUNCHDROOT/usr"
mkdir -m  755 "$LAUNCHDROOT/usr/local"
mkdir -m  755 "$LAUNCHDROOT/usr/local/munki"
mkdir -m  755 "$LAUNCHDROOT/usr/local/munki/libexec"

# Copy launch daemons and launch agents.
cp -X "$MUNKIROOT/launchd/LaunchAgents/"*.plist "$LAUNCHDROOT/Library/LaunchAgents/"
chmod 644 "$LAUNCHDROOT/Library/LaunchAgents/"*
cp -X "$MUNKIROOT/launchd/LaunchDaemons/"*.plist "$LAUNCHDROOT/Library/LaunchDaemons/"
chmod 644 "$LAUNCHDROOT/Library/LaunchDaemons/"*

# Copy tools.
# edit this if list of tools changes!
for TOOL in installhelper
do
	cp -X "$MUNKIROOT/code/build/binaries/$TOOL" "$LAUNCHDROOT/usr/local/munki/libexec/" 2>&1
    # sign tool
    if [ "$APPSIGNINGCERT" != "" ]; then
        echo "Signing $TOOL..."
        /usr/bin/codesign -f -s "$APPSIGNINGCERT" --options runtime --timestamp --verbose "$LAUNCHDROOT/usr/local/munki/libexec/$TOOL"
        SIGNING_RESULT="$?"
        if [ "$SIGNING_RESULT" -ne 0 ]; then
            echo "Error signing $TOOL: $SIGNING_RESULT"
            exit 2
        fi
    fi
done
# Set permissions.
chmod -R go-w "$LAUNCHDROOT/usr/local/munki"
chmod +x "$LAUNCHDROOT/usr/local/munki"
chmod +x "$LAUNCHDROOT/usr/local/munki/libexec"

# copy in launchd cleanup scripts
if [ -d "$MUNKIROOT/code/tools/pkgresources/launchd_cleanup_scripts/" ] ; then
    rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/launchd_cleanup_scripts/" "$LAUNCHDROOT/usr/local/munki/cleanup/"
fi

# Create package info file.
makeinfo launchd "$PKGTMP/info" norestart


#######################
## app_usage_monitor ##
#######################

echo "Creating app_usage package source..."

# Create directory structure.
APPUSAGEROOT="$PKGTMP/munki_app_usage"
mkdir -m 1775 "$APPUSAGEROOT"
mkdir -m 1775 "$APPUSAGEROOT/Library"
mkdir -m 755 "$APPUSAGEROOT/Library/LaunchAgents"
mkdir -m 755 "$APPUSAGEROOT/Library/LaunchDaemons"
mkdir -m 755 "$APPUSAGEROOT/usr"
mkdir -m 755 "$APPUSAGEROOT/usr/local"
mkdir -m 755 "$APPUSAGEROOT/usr/local/munki"
mkdir -m 755 "$APPUSAGEROOT/usr/local/munki/libexec"
# Copy launch agent, launch daemon, daemon, and agent
# LaunchAgent
cp -X "$MUNKIROOT/launchd/app_usage_LaunchAgent/"*.plist "$APPUSAGEROOT/Library/LaunchAgents/"
chmod 644 "$APPUSAGEROOT/Library/LaunchAgents/"*
# LaunchDaemon
cp -X "$MUNKIROOT/launchd/app_usage_LaunchDaemon/"*.plist "$APPUSAGEROOT/Library/LaunchDaemons/"
chmod 644 "$APPUSAGEROOT/Library/LaunchDaemons/"*
# Copy tools.
# edit this if list of tools changes!
for TOOL in appusaged app_usage_monitor installhelper
do
	cp -X "$MUNKIROOT/code/build/binaries/$TOOL" "$APPUSAGEROOT/usr/local/munki/libexec/" 2>&1
    # sign tool
    if [ "$APPSIGNINGCERT" != "" ]; then
        echo "Signing $TOOL..."
        /usr/bin/codesign -f -s "$APPSIGNINGCERT" --options runtime --timestamp --verbose "$APPUSAGEROOT/usr/local/munki/libexec/$TOOL"
        SIGNING_RESULT="$?"
        if [ "$SIGNING_RESULT" -ne 0 ]; then
            echo "Error signing $TOOL: $SIGNING_RESULT"
            exit 2
        fi
    fi
done
# Set permissions.
chmod -R go-w "$APPUSAGEROOT/usr/local/munki"
chmod +x "$APPUSAGEROOT/usr/local/munki"
chmod +x "$APPUSAGEROOT/usr/local/munki/libexec"

# copy in app_usage cleanup scripts
if [ -d "$MUNKIROOT/code/tools/pkgresources/app_usage_cleanup_scripts/" ] ; then
    rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/app_usage_cleanup_scripts/" "$APPUSAGEROOT/usr/local/munki/cleanup/"
fi

# Create package info file.
makeinfo app_usage "$PKGTMP/info" norestart


############
## python ##
############
if [ "$PYTHONPKG" == "YES" ] ; then
    echo "Creating python package source..."

    # Create directory structure.
    PYTHONROOT="$PKGTMP/munki_python"
    mkdir -m 1775 "$PYTHONROOT"
    mkdir -m 755 "$PYTHONROOT/usr"
    mkdir -m 755 "$PYTHONROOT/usr/local"
    mkdir -m 755 "$PYTHONROOT/usr/local/munki"
    # Copy framework
    cp -R "$MUNKIROOT/Python.framework" "$PYTHONROOT/usr/local/munki/"

    # Sign Python
    if [ "$APPSIGNINGCERT" != "" ]; then
        /usr/bin/find "$PYTHONROOT/usr/local/munki/Python.framework/Versions/Current/bin" -type f -perm -u=x -exec /usr/bin/codesign --sign "$APPSIGNINGCERT" --timestamp --preserve-metadata=identifier,entitlements,flags,runtime -f {} \;
        /usr/bin/find "$PYTHONROOT/usr/local/munki/Python.framework/Versions/Current/lib" -type f -perm -u=x -exec /usr/bin/codesign --sign "$APPSIGNINGCERT" --timestamp --preserve-metadata=identifier,entitlements,flags,runtime -f {} \;
        /usr/bin/find "$PYTHONROOT/usr/local/munki/Python.framework/Versions/Current/lib" -type f -name "*dylib" -exec /usr/bin/codesign --sign "$APPSIGNINGCERT" --timestamp --preserve-metadata=identifier,entitlements,flags,runtime -f {} \;
        /usr/bin/codesign --sign "$APPSIGNINGCERT" --timestamp --deep --force --preserve-metadata=identifier,entitlements,flags,runtime "$PYTHONROOT/usr/local/munki/Python.framework/Versions/Current/Resources/Python.app"
        /usr/bin/codesign --sign "$APPSIGNINGCERT" --timestamp --force --preserve-metadata=identifier,entitlements,flags,runtime "$PYTHONROOT/usr/local/munki/Python.framework/Versions/Current/Python"
    fi
    # Create symlink
    ln -s Python.framework/Versions/Current/Resources/Python.app/Contents/MacOS/Python "$PYTHONROOT/usr/local/munki/munki-python"

    # Set permissions.
    chmod -R go-w "$PYTHONROOT/usr/local/munki"
    chmod +x "$PYTHONROOT/usr/local/munki"

    # copy in python cleanup scripts
    if [ -d "$MUNKIROOT/code/tools/pkgresources/python_cleanup_scripts/" ] ; then
        rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/python_cleanup_scripts/" "$PYTHONROOT/usr/local/munki/cleanup/"
    fi

    # Create package info file.
    makeinfo python "$PKGTMP/info" norestart
fi


################
## pythonlibs ##
################
if [ "$PYTHONLIBS" == "YES" ] ; then
    echo "Creating python libraries source..."

    # Create directory structure.
    PYTHONLIBSROOT="$PKGTMP/munki_pythonlibs"
    mkdir -m 1775 "$PYTHONLIBSROOT"
    mkdir -m  755 "$PYTHONLIBSROOT/usr"
    mkdir -m  755 "$PYTHONLIBSROOT/usr/local"
    mkdir -m  755 "$PYTHONLIBSROOT/usr/local/munki"

    # Copy python libraries.
    rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/client/munkilib/" "$PYTHONLIBSROOT/usr/local/munki/munkilib/"
    # Copy munki version.
    cp -X "$MUNKIROOT/code/client/munkilib/version.plist" "$PYTHONLIBSROOT/usr/local/munki/munkilib/"

    # add Build Number and Git Revision to version.plist
    /usr/libexec/PlistBuddy -c "Delete :BuildNumber" "$PYTHONLIBSROOT/usr/local/munki/munkilib/version.plist" 2>/dev/null
    /usr/libexec/PlistBuddy -c "Add :BuildNumber string $SVNREV" "$PYTHONLIBSROOT/usr/local/munki/munkilib/version.plist"
    /usr/libexec/PlistBuddy -c "Delete :GitRevision" "$PYTHONLIBSROOT/usr/local/munki/munkilib/version.plist" 2>/dev/null
    /usr/libexec/PlistBuddy -c "Add :GitRevision string $GITREV" "$PYTHONLIBSROOT/usr/local/munki/munkilib/version.plist"
    # Set permissions.
    chmod -R go-w "$PYTHONLIBSROOT/usr/local/munki"
    chmod +x "$PYTHONLIBSROOT/usr/local/munki"
    
    # Create package info file.
    makeinfo pythonlibs "$PKGTMP/info" norestart
fi


###############
## bootstrap ##
###############
if [ "$BOOTSTRAPPKG" == "YES" ] ;  then

    echo "Creating bootstrap package source..."

    # Create directory structure.
    BOOTSTRAPROOT="$PKGTMP/munki_bootstrap"
    mkdir -m 1775 "$BOOTSTRAPROOT"
    mkdir -p "$BOOTSTRAPROOT/Users/Shared"
    # Create bootstrap flag file
    touch "$BOOTSTRAPROOT/Users/Shared/.com.googlecode.munki.checkandinstallatstartup"

    # copy in bootstrap cleanup scripts
    if [ -d "$MUNKIROOT/code/tools/pkgresources/bootstrap_cleanup_scripts/" ] ; then
        rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/bootstrap_cleanup_scripts/" "$BOOTSTRAPROOT/usr/local/munki/cleanup/"
    fi

    # Create package info file.
    makeinfo bootstrap "$PKGTMP/info" norestart
fi


#############
## autorun ##
#############
if [ "$AUTORUNPKG" == "YES" ] ; then
    echo "Creating autorun package source..."

    # Create directory structure.
    AUTORUNROOT="$PKGTMP/munki_autorun"
    mkdir -m 1775 "$AUTORUNROOT"

    # copy in autorun cleanup scripts
    if [ -d "$MUNKIROOT/code/tools/pkgresources/autorun_cleanup_scripts/" ] ; then
        rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/bootstrap_cleanup_scripts/" "$BOOTSTRAPROOT/usr/local/munki/cleanup/"
    fi

    # Create package info file.
    makeinfo autorun "$PKGTMP/info" norestart

fi


############
## config ##
############
if [ "$CONFPKG" == "YES" ] ; then

    echo "Creating configuration package source..."

    # Create directory structure.
    CONFROOT="$PKGTMP/munki_config"
    mkdir -m 1775 "$CONFROOT"
    mkdir -p "$CONFROOT/Library/Preferences"
    # Copy prefs file
    cp "$CONFFULLPATH" "$CONFROOT/Library/Preferences/ManagedInstalls.plist"

    # copy in config cleanup scripts
    if [ -d "$MUNKIROOT/code/tools/pkgresources/config_cleanup_scripts/" ] ; then
        rsync -a --exclude '*.pyc' --exclude '.DS_Store' "$MUNKIROOT/code/tools/pkgresources/config_cleanup_scripts/" "$CONFROOT/usr/local/munki/cleanup/"
    fi

    # Create package info file.
    makeinfo config "$PKGTMP/info" norestart
fi


###############
## Rosetta 2 ##
###############
if [ "$ROSETTA2" == "YES" ] ;  then

    echo "Creating Rosetta2 package source..."

    # Create directory structure.
    ROSETTA2ROOT="$PKGTMP/munki_rosetta2"
    mkdir -m 1775 "$ROSETTA2ROOT"

    # Create package info file.
    makeinfo rosetta2 "$PKGTMP/info" norestart
fi


#################
## client cert ##
#################
if [ "$CLIENTCERTPKG" == "YES" ] ; then

    echo "Creating client cert package source..."

    # Create directory structure
    CLIENTCERTROOT="$PKGTMP/munki_clientcert"
    mkdir -m 1755 "$CLIENTCERTROOT"
    mkdir -m 755 -p "$CLIENTCERTROOT/Library/Managed Installs"
    mkdir -m 700 "$CLIENTCERTROOT/Library/Managed Installs/certs"
    # Copy cert file
    sudo cp -p "$CLIENTCERT" "$CLIENTCERTROOT/Library/Managed Installs/certs/client.pem"

    # Create package info file
    makeinfo clientcert "$PKGTMP/info" norestart
fi

#############################
## Create metapackage root ##
#############################

echo "Creating metapackage source..."

# Create root for productbuild.
METAROOT="$PKGTMP/munki_mpkg"
mkdir -p "$METAROOT/Resources"
# Configure Distribution
DISTFILE="$METAROOT/Distribution"
PKGPREFIX="#"
# Package destination directory.
PKGDEST="$METAROOT"

# Create Distribution file.
CORETITLE="Munki core tools"
COREDESC="Core command-line tools used by Munki."

ADMINTITLE="Munki admin tools"
ADMINDESC="Command-line munki admin tools."

LIBSTITLE="Swift dynamic libraries"
LIBSDESC="Swift runtime libraries for macOS 10.15 and 11"

APPTITLE="Managed Software Center"
APPDESC="Managed Software Center application."

LAUNCHDTITLE="Munki launchd files"
LAUNCHDDESC="Core Munki launch daemons and launch agents."

APPUSAGETITLE="Munki app usage monitoring tool"
APPUSAGEDESC="Munki app usage monitoring tool and launchdaemon. Optional install; if installed Munki can use data collected by this tool to automatically remove unused software."

PYTHONTITLE="Munki embedded Python"
PYTHONDESC="Embedded Python 3 framework for Munki."

PYTHONLIBSTITLE="Munki Python libraries"
PYTHONLIBSDESC="Python libraries for Munki."

BOOTSTRAPTITLE="Munki bootstrap setup"
BOOTSTRAPDESC="Enables bootstrap mode for the Munki tools."

AUTORUNTITLE="Munki auto run setup"
AUTORUNDESC="Triggers an managedsoftwareupdate --auto run immediately after install."

CONFTITLE="Munki tools configuration"
CONFDESC="Sets initial preferences for Munki tools."

ROSETTA2TITLE="Install Rosetta2"
ROSETTA2DESC="Installs Rosetta2 for ARM-based hardware."

CLIENTCERTTITLE="Munki client certificate"
CLIENTCERTDESC="Required client certificate for Munki."

PYTHONOUTLINE=""
PYTHONCHOICE=""
PYTHONREF=""
if [ "$PYTHONPKG" == "YES" ] ; then
    PYTHONOUTLINE="<line choice=\"python\"/>"
    PYTHONCHOICE="<choice id=\"python\" title=\"$PYTHONTITLE\" description=\"$PYTHONDESC\">
        <pkg-ref id=\"$PKGID.python\"/>
    </choice>"
    PYTHONREF="<pkg-ref id=\"$PKGID.python\" auth=\"Root\">${PKGPREFIX}munkitools_python.pkg</pkg-ref>"
fi

PYTHONLIBSOUTLINE=""
PYTHONLIBSCHOICE=""
PYTHONLIBSREF=""
if [ "$PYTHONLIBS" == "YES" ] ; then
    PYTHONLIBSOUTLINE="<line choice=\"pythonlibs\"/>"
    PYTHONLIBSCHOICE="<choice id=\"pythonlibs\" title=\"$PYTHONLIBSTITLE\" description=\"$PYTHONLIBSDESC\">
        <pkg-ref id=\"$PKGID.pythonlibs\"/>
    </choice>"
    PYTHONLIBSREF="<pkg-ref id=\"$PKGID.pythonlibs\" auth=\"Root\">${PKGPREFIX}munkitools_pythonlibs.pkg</pkg-ref>"
fi

BOOTSTRAPOUTLINE=""
BOOTSTRAPCHOICE=""
BOOTSTRAPREF=""
if [ "$BOOTSTRAPPKG" == "YES" ] ; then
    BOOTSTRAPOUTLINE="<line choice=\"bootstrap\"/>"
    BOOTSTRAPCHOICE="<choice id=\"bootstrap\" title=\"$BOOTSTRAPTITLE\" description=\"$BOOTSTRAPDESC\">
        <pkg-ref id=\"$PKGID.bootstrap\"/>
    </choice>"
    BOOTSTRAPREF="<pkg-ref id=\"$PKGID.bootstrap\" auth=\"Root\">${PKGPREFIX}munkitools_bootstrap.pkg</pkg-ref>"
fi

AUTORUNOUTLINE=""
AUTORUNCHOICE=""
AUTORUNREF=""
if [ "$AUTORUNPKG" == "YES" ] ; then
    AUTORUNOUTLINE="<line choice=\"autorun\"/>"
    AUTORUNCHOICE="<choice id=\"autorun\" title=\"$AUTORUNTITLE\" description=\"$AUTORUNDESC\">
        <pkg-ref id=\"$PKGID.autorun\"/>
    </choice>"
    AUTORUNREF="<pkg-ref id=\"$PKGID.autorun\" auth=\"Root\">${PKGPREFIX}munkitools_autorun.pkg</pkg-ref>"
fi

CONFOUTLINE=""
CONFCHOICE=""
CONFREF=""
if [ "$CONFPKG" == "YES" ]; then
    CONFOUTLINE="<line choice=\"config\"/>"
    CONFCHOICE="<choice id=\"config\" title=\"$CONFTITLE\" description=\"$CONFDESC\">
        <pkg-ref id=\"$PKGID.config\"/>
    </choice>"
    CONFREF="<pkg-ref id=\"$PKGID.config\" auth=\"Root\">${PKGPREFIX}munkitools_config.pkg</pkg-ref>"
fi

ROSETTA2OUTLINE=""
ROSETTA2CHOICE=""
ROSETTA2REF=""
HOSTARCHITECTURES=""
if [ "$ROSETTA2" == "YES" ]; then
    ROSETTA2OUTLINE="<line choice=\"rosetta2\"/>"
    ROSETTA2CHOICE="<choice id=\"rosetta2\" title=\"$ROSETTA2TITLE\" description=\"$ROSETTA2DESC\">
        <pkg-ref id=\"$PKGID.rosetta2\"/>
    </choice>"
    ROSETTA2REF="<pkg-ref id=\"$PKGID.rosetta2\" auth=\"Root\">${PKGPREFIX}munkitools_rosetta2.pkg</pkg-ref>"
    HOSTARCHITECTURES="hostArchitectures=\"x86_64,arm64\""
fi

CLIENTCERTOUTLINE=""
CLIENTCERTCHOICE=""
CLIENTCERTREF=""
if [ "$CLIENTCERTPKG" == "YES" ]; then
    CLIENTCERTOUTLINE="<line choice=\"clientcert\"/>"
    CLIENTCERTCHOICE="<choice id=\"clientcert\" title=\"$CLIENTCERTTITLE\" description=\"$CLIENTCERTDESC\">
        <pkg-ref id=\"$PKGID.clientcert\"/>
    </choice>"
    CLIENTCERTREF="<pkg-ref id=\"$PKGID.clientcert\" auth=\"Root\">${PKGPREFIX}munkitools_clientcert.pkg</pkg-ref>"
fi

cat > "$DISTFILE" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<installer-script minSpecVersion="1.000000">
    <title>Munki - Software Management for $ORGNAME</title>
    <volume-check>
        <allowed-os-versions>
            <os-version min="10.15"/>
        </allowed-os-versions>
    </volume-check>
    <options hostArchitectures="x86_64,arm64" customize="allow" allow-external-scripts="no"/>
    <domains enable_anywhere="true"/>
    <choices-outline>
        $ROSETTA2OUTLINE
        <line choice="core"/>
        <line choice="admin"/>
        <line choice="app"/>
        <line choice="app_usage"/>
        <line choice="launchd"/>
        $PYTHONOUTLINE
        $PYTHONLIBSOUTLINE
        $BOOTSTRAPOUTLINE
        $CONFOUTLINE
        $CLIENTCERTOUTLINE
        $AUTORUNOUTLINE
        <line choice="libs"/>
    </choices-outline>
    $ROSETTA2CHOICE
    <choice id="core" title="$CORETITLE" description="$COREDESC">
        <pkg-ref id="$PKGID.core"/>
    </choice>
    <choice id="admin" title="$ADMINTITLE" description="$ADMINDESC">
        <pkg-ref id="$PKGID.admin"/>
    </choice>
    <choice id="libs" title="$LIBSTITLE" description="$LIBSDESC" enabled='false' selected='system.compareVersions(system.version.ProductVersion, "12.0") &lt; 0'>
        <pkg-ref id="$PKGID.libs"/>
    </choice>
    <choice id="app" title="$APPTITLE" description="$APPDESC">
        <pkg-ref id="$PKGID.app"/>
    </choice>
    <choice id="app_usage" title="$APPUSAGETITLE" description="$APPUSAGEDESC">
        <pkg-ref id="$PKGID.app_usage"/>
    </choice>
     <choice id="launchd" title="$LAUNCHDTITLE" description="$LAUNCHDDESC">
        <pkg-ref id="$PKGID.launchd"/>
    </choice>
    $PYTHONCHOICE
    $PYTHONLIBSCHOICE
    $BOOTSTRAPCHOICE
    $CONFCHOICE
    $CLIENTCERTCHOICE
    $AUTORUNCHOICE
    $ROSETTA2REF
    <pkg-ref id="$PKGID.core" auth="Root">${PKGPREFIX}munkitools_core.pkg</pkg-ref>
    <pkg-ref id="$PKGID.admin" auth="Root">${PKGPREFIX}munkitools_admin.pkg</pkg-ref>
    <pkg-ref id="$PKGID.libs" auth="Root">${PKGPREFIX}munkitools_libs.pkg</pkg-ref>
    <pkg-ref id="$PKGID.app" auth="Root">${PKGPREFIX}munkitools_app.pkg</pkg-ref>
    <pkg-ref id="$PKGID.app_usage" auth="Root">${PKGPREFIX}munkitools_app_usage.pkg</pkg-ref>
    <pkg-ref id="$PKGID.launchd" auth="Root">${PKGPREFIX}munkitools_launchd.pkg</pkg-ref>
    $PYTHONREF
    $PYTHONLIBSREF
    $BOOTSTRAPREF
    $CONFREF
    $CLIENTCERTREF
    $AUTORUNREF
    <product id="$PKGID" version="$VERSION" />
</installer-script>
EOF

###################
## Set ownership ##
###################

echo "Setting ownership to root..."

sudo chown root:admin "$COREROOT" "$ADMINROOT" "$LIBSROOT" "$APPROOT" "$LAUNCHDROOT"
sudo chown -hR root:wheel "$COREROOT/usr"
sudo chown -hR root:admin "$COREROOT/Library"
sudo chown -hR root:wheel "$COREROOT/private"

sudo chown -hR root:wheel "$ADMINROOT/usr"
sudo chown -hR root:wheel "$ADMINROOT/private"

sudo chown -hR root:wheel "$LIBSROOT/usr"

sudo chown -hR root:admin "$APPROOT/Applications"

sudo chown root:admin "$LAUNCHDROOT/Library"
sudo chown -hR root:wheel "$LAUNCHDROOT/Library/LaunchDaemons"
sudo chown -hR root:wheel "$LAUNCHDROOT/Library/LaunchAgents"

sudo chown root:admin "$APPUSAGEROOT/Library"
sudo chown -hR root:wheel "$APPUSAGEROOT/Library/LaunchDaemons"
sudo chown -hR root:wheel "$APPUSAGEROOT/Library/LaunchAgents"
sudo chown -hR root:wheel "$APPUSAGEROOT/usr"

if [ "$PYTHONPKG" == "YES" ] ; then
    sudo chown -hR root:wheel "$PYTHONROOT/usr"
fi

if [ "$PYTHONLIBS" == "YES" ] ; then
    sudo chown -hR root:wheel "$PYTHONLIBSROOT/usr"
fi

if [ "$BOOTSTRAPPKG" == "YES" ] ; then
    sudo chown -hR root:admin "$BOOTSTRAPROOT"
fi

if [ "$AUTORUNPKG" == "YES" ] ; then
    sudo chown -hR root:admin "$AUTORUNROOT"
fi

if [ "$CONFPKG" == "YES" ] ; then
    sudo chown -hR root:admin "$CONFROOT"
fi

if [ "$ROSETTA2" == "YES" ] ; then
    sudo chown -hR root:admin "$ROSETTA2ROOT"
fi

if [ "$CLIENTCERTPKG" == "YES" ] ; then
    sudo chown -hR root:admin "$CLIENTCERTROOT"
fi

ALLPKGS="core admin libs app launchd app_usage"
if [ "$PYTHONPKG" == "YES" ] ; then 
    ALLPKGS="${ALLPKGS} python"
fi
if [ "$PYTHONLIBS" == "YES" ] ; then 
    ALLPKGS="${ALLPKGS} pythonlibs"
fi
if [ "$BOOTSTRAPPKG" == "YES" ] ; then
    ALLPKGS="${ALLPKGS} bootstrap"
fi
if [ "$AUTORUNPKG" == "YES" ] ; then
    ALLPKGS="${ALLPKGS} autorun"
fi
if [ "$CONFPKG" == "YES" ] ; then
    ALLPKGS="${ALLPKGS} config"
fi
if [ "$ROSETTA2" == "YES" ] ; then
    ALLPKGS="${ALLPKGS} rosetta2"
fi
if [ "$CLIENTCERTPKG" == "YES" ] ; then
    ALLPKGS="${ALLPKGS} clientcert"
fi

######################
## Run pkgbuild ##
######################
CURRENTUSER=$(whoami)
for pkg in $ALLPKGS ; do
    case $pkg in
        "app")
            ver="$APPSVERSION"
            SCRIPTS="${MUNKIROOT}/code/tools/pkgresources/Scripts_app"
            ;;
        "launchd")
            ver="$LAUNCHDVERSION"
            SCRIPTS="${MUNKIROOT}/code/tools/pkgresources/Scripts_launchd"
            ;;
        "app_usage")
            ver="$VERSION"
            SCRIPTS="${MUNKIROOT}/code/tools/pkgresources/Scripts_app_usage"
            ;;
        "python")
            ver="$PYTHONVERSION"
            SCRIPTS="${MUNKIROOT}/code/tools/pkgresources/Scripts_python"
            ;;
        "pythonlibs")
            ver="$PYTHONLIBSVERSION"
            SCRIPTS=""
            ;;
        "bootstrap")
            ver="1.0"
            SCRIPTS=""
            ;;
        "autorun")
            ver="1.0"
            SCRIPTS="${MUNKIROOT}/code/tools/pkgresources/Scripts_autorun"
            ;;
        "config")
            ver="1.0"
            SCRIPTS=""
            ;;
        "clientcert")
            ver="1.0"
            SCRIPTS=""
            ;;
        "rosetta2")
            ver="1.0"
            SCRIPTS="${MUNKIROOT}/code/tools/pkgresources/Scripts_rosetta2"
            ;;
        "libs")
            ver="5.5"
            ;;
        *)
            ver="$VERSION"
            SCRIPTS=""
            ;;
    esac
    echo
    echo "Packaging munkitools_$pkg.pkg"

    # use sudo here so pkgutil doesn't complain when it tries to
    # descend into root/Library/Managed Installs/*

    # Use pkgutil --analyze to build a component property list
    # then turn off bundle relocation
    sudo /usr/bin/pkgbuild \
        --analyze \
        --root "$PKGTMP/munki_$pkg" \
        "${PKGTMP}/munki_${pkg}_component.plist"
    if [ "$pkg" == "app" ]; then
        # change BundleIsRelocatable from true to false
        sudo /usr/libexec/PlistBuddy \
            -c 'Set :0:BundleIsRelocatable false' \
            "${PKGTMP}/munki_${pkg}_component.plist"
    fi

    if [ "$SCRIPTS" != "" ]; then
        sudo /usr/bin/pkgbuild \
            --root "$PKGTMP/munki_$pkg" \
            --identifier "$PKGID.$pkg" \
            --version "$ver" \
            --ownership preserve \
            --info "$PKGTMP/info_$pkg" \
            --component-plist "${PKGTMP}/munki_${pkg}_component.plist" \
            --scripts "$SCRIPTS" \
            "$PKGDEST/munkitools_$pkg.pkg"
    else
        sudo /usr/bin/pkgbuild \
            --root "$PKGTMP/munki_$pkg" \
            --identifier "$PKGID.$pkg" \
            --version "$ver" \
            --ownership preserve \
            --info "$PKGTMP/info_$pkg" \
            --component-plist "${PKGTMP}/munki_${pkg}_component.plist" \
            "$PKGDEST/munkitools_$pkg.pkg"
    fi

    if [ "$?" -ne 0 ]; then
        echo "Error building munkitools_$pkg.pkg."
        echo "Attempting to clean up temporary files..."
        sudo rm -rf "$PKGTMP"
        exit 2
    else
        # set ownership of package back to current user
        sudo chown -R "$CURRENTUSER" "$PKGDEST/munkitools_$pkg.pkg"
    fi
done

echo
# build distribution pkg from the components
# Sign package if specified with options.
if [ "$PKGSIGNINGCERT" != "" ]; then
     /usr/bin/productbuild \
        --distribution "$DISTFILE" \
        --package-path "$METAROOT" \
        --resources "$METAROOT/Resources" \
        --sign "$PKGSIGNINGCERT" \
        "$DISTPKG"
else
    /usr/bin/productbuild \
        --distribution "$DISTFILE" \
        --package-path "$METAROOT" \
        --resources "$METAROOT/Resources" \
        "$DISTPKG"
fi

if [ "$?" -ne 0 ]; then
    echo "Error creating $DISTPKG."
    echo "Attempting to clean up temporary files..."
    sudo rm -rf "$PKGTMP"
    exit 2
fi

echo "Distribution package created at $DISTPKG."
echo
echo "Removing temporary files..."
#sudo rm -rf "$PKGTMP"

echo "Done."
